Bm-based fast chase decoding of binary bch codes through degenerate list decoding

ABSTRACT

An application specific integrated circuit (ASIC) tangibly encodes a method for fast polynomial updates in fast Chase decoding of binary Bose-Chaudhuri-Hocquenghem (BCH) codes. The method includes the steps of using outputs of a syndrome-based hard-decision (HD) algorithm to find a Groebner basis for a solution module of a modified key equation, upon failure of HD decoding of a BCH codeword received by the ASIC from a communication channel; evaluating polynomials obtained from said Groebner basis at inverses of specified weak-bit locations; and transforming a Groebner basis for a set of flipped weak-bit locations (α 1 , . . . , α r−1 ) to a Groebner basis for (α 1 , . . . , α r ), wherein α r  is a next weak-bit location, wherein r is a difference between a number of errors and a HD correction radius of the BCH codeword.

BACKGROUND Technical Field

Embodiments of the present disclosure are directed to methods of forming error correcting codes.

Discussion of the Related Art

In coding theory, BCH codes form a class of cyclic error-correcting codes (ECCs) that are constructed using finite fields. BCH codes are named for their inventors Raj Bose, D. K. Ray-Chaudhuri, and Alexis Hocquenghem. BCH codes can be defined as follows. For a correction radius t, the primitive binary BCH code of length 2^(m)−1 and designed distance d:=2t+1 is defined as the cyclic binary code of length n:=2^(m)−1 with roots α, α³, . . . , α^(2t−1) and their conjugates, where α is some primitive element in

₂*m. BCH codes allow a precise control over the number of symbol errors correctable by the code during code design. In particular, it is possible to design binary BCH codes that can correct multiple bit errors. BCH codes can also be easily decoded using an algebraic method known as syndrome decoding. This can simplify the design of the decoder for these codes by using small, low-power electronic hardware.

The syndrome of a received codeword y=x+e, where x is the transmitted codeword and e is an error pattern, is defined in terms of a parity matrix H. A parity check matrix of a linear code C is a generator matrix of the dual code C^(⊥), which means that a codeword c is in C iff the matrix-vector product Hc=0. Then, the syndrome of the received word y=x+e is defined as S=Hy=H(x+e)=Hx+He=0+He=He. For the high-rate codes commonly used in practice, syndromes are useful in that the length of the syndrome, the codimension of the code, is much less than the length of the received word. For BCH codes, it is useful to work with a syndrome that corresponds to a particular parity-check matrix. For jϵ{1, . . . , d−1}, let S_(j):=y(α^(j)), where for a field K and a vector f=(f₀, f₁, . . . f_(n−1))ϵK^(n), the vector f is identified with the polynomial f(X):=f₀+f₁X+ . . . +f_(n−1)X^(n−1)ϵK[X]. The syndrome polynomial associated with y is S(X):=S₁+S₂X+ . . . +S_(d−1)X^(d−2). In terms of syndromes, the main computation in decoding binary BCH codes is to determine polynomials ω(X), σ(X)ϵ

₂ _(m) [X], that satisfy the following equation, known as a key equation:

ω=Sσ mod X ^(2t),

where S is the syndrome polynomial, X is a free variable in the polynomial, ω(X)ϵ

₂ _(m) [X] is the error evaluator polynomial, defined by ω(X):=π_(i=1) ^(ε)α_(i)Π_(i≠1) (1+α_(j)X), σ(X)ϵ

₂ _(m) [X] is the error locator polynomial defined by σ(X):=Π_(i=1) ^(ε)(1+α_(i)X), α is the primitive element in

₂*m that was used to define the roots of the BCH code, ε is the actual number of hard-decision errors, α₁, . . . , α_(ϵ) are the error locations, that is, field elements pointing to the location of the errors, and t is the designed decoding radius of the BCH code.

The Berlekamp-Massey (BM) algorithm is an algorithm for decoding BCH codes that finds an estimated error locator polynomial (ELP) C(X)=1+C₁X+C₂X²+ . . . +C_(L)X^(L) which results in zero coefficients for X^(k) in S(X)C(X) for k=L, . . . , 2t−1[S]_(k)+C₁[S]_(k−1)+ . . . +C_(L)[S]_(k−L)=0, where L is the number of errors found by the algorithm, N=d−1=2t is the total number of syndromes, [S]_(i)=S₁₊₁ is the coefficient of X^(i) in the syndrome polynomial S(X) for all i, and k is an index that ranges from L to (N−1).

The BM algorithm begins by initializing C(X) to 1, L to zero; B(X) (a copy of the last C(X) since L was updated) to 1, b (a copy of the last discrepancy d since L was updated and initialized) to 1; and m (the number of iterations since L, B(X), and b were updated and initialized) to 1. The algorithm iterates from k=0 to N−1. At each iteration k of the algorithm, a discrepancy d is calculated:

d=[S] _(k) +C ₁ [S] _(k−1) + . . . +C _(L) [S] _(k−L).

If d is zero, C(X) and L are assumed correct for the moment, m is incremented, and the algorithm continues.

If d is not zero and 2L>k, C(X) is adjusted so that a recalculation of d would be zero:

C(X)=C(X)−(d/b)X ^(m) B(X).

The X^(th) term shifts B(X) to follow the syndromes corresponding to b. If the previous update of L occurred on iteration j, then m=k−j, and a recalculated discrepancy would be:

d=[S] _(k) +C ₁ [S] _(k−1)+ . . . −(d/b)([S] _(j) +B ₁ [S] _(j−1)+ . . . ).

This would change a recalculated discrepancy to: d=d−(d/b)b=d−d=0. Then, m is incremented, and the algorithm continues.

On the other hand, if d is not zero and 2L≤n, a copy of C is saved in vector T, C(X) is adjusted as above, B is updated from T, L is reset to (k+1−L), the discrepancy d is saved as b, m is reset to 1, and the algorithm continues.

A Chien search is an algorithm for determining roots of polynomials over a finite field, such as ELPs encountered in decoding BCH codes. Let α be a primitive element of a finite field with a multiplicative subgroup. Chien's search tests the non-zero elements in the field in the generator's order α¹, α², α³, . . . . In this way, every non-zero field element is checked. If at any stage the resultant polynomial evaluates to zero, then the associated element is a root.

Hard information for a received bit is the estimated bit value, i.e., 0 or 1, while “soft information” includes both an estimated value and the reliability of this estimation. This reliability may take many forms, but one common form is the probability, or an estimation of this probability, that the estimation is correct. For example, in the case of a single-level cell (SLC) flash memory, in which each cell stores a single bit, hard information is obtained with a single read (single threshold), while increasingly refined soft information is obtained from additional reads.

In hard-decision (HD) decoding, the hard-information vector (per-coordinate bit estimates) is used as the input of an error-correcting code (ECC) decoder, while in soft-decision (SD) decoding, a soft information vector (per-coordinate reliability vector on top of the hard-information vector) is used as the input of the ECC decoder.

Thus, soft information may be regarded as an estimate of the reliability of each bit estimate, on top of the bit estimates themselves. Hence, bits with a high enough reliability may be considered “strong”, while the remaining bits may be considered “weak”. For example, in an SLC flash memory, one read, e.g., with threshold level h, results in the HID vector, while two additional reads, e.g., with thresholds h+Δ, h−Δ, may be used to divide bits into strong and weak bits.

Chase decoding is a simple SD decoding algorithm for a code having only an HD decoding block, such as a BCH code. In Chase decoding, if an HD decoding fails, soft information is used to divide the received bits into strong, i.e., reliable, and weak, i.e., unreliable, bits. Suppose there are R weak bits. Some patterns of weak-bits flips are tested, such as all possible 2^(R) flipping possibilities. For each flipping pattern, HD decoding is used. If, for some flipping pattern, the number of post-flipping errors is less than t, the HD correction radius of the code, then the decoding is said to have succeeded.

Now consider binary BCH codes. These codes are widely used in NAND flash applications, both for themselves, and as component codes in generalized concatenated codes. In a conventional Chase decoder, for each tested flipping pattern, a full HD decoder is invoked. This involves a syndrome computation, invoking the BM algorithm to find the ELP, and a Chien search to find the roots of the ELP.

However, if, in moving from pattern i to pattern i+1, a single additional bit is flipped, is it necessary to run a full HD decoder for pattern i+1? One answer is the Welch-Berlekamp (WB) algorithm, which is an interpolation-based fast Chase decoding. The WB algorithm differs from the BM algorithm in that while the BM algorithm starts by calculating syndromes from the received word and then works only with the syndromes, the WB algorithm works directly on the received word. Note that for high-rate codes that are used in flash memories, it is more efficient to work with syndromes, because the total length (in bits) of all syndromes is much smaller than the total length of the received word. Hence, in this case it is worth converting the received word into syndromes once and for all at the beginning of decoding, and then to continue processing only the small syndromes. In addition, entirely replacing an existing BM-based HD decoder by a Welch-Berlekamp decoder is non-trivial, and for high-rate codes, to reduce the complexity of the Welch-Berlekamp algorithm to that of the BM algorithm, it is necessary to use a re-encoding transformation, which requires a new hardware design for the core HD decoder.

Another answer is Wu's algorithm, “Fast Chase Decoding Algorithms and Architectures for Reed-Solomon Codes”, IEEE Transactions on Information Theory, Vol. 58, No. 1, January 2012, pgs. 109-129, the contents of which are herein incorporated by reference in their entirety, which is a BM-based fast Chase decoding. In Wu's method, for each additional flipped bit, a calculation similar to the last step of the BM algorithm is performed, instead of the full BM algorithm, and a syndrome re-calculation is not required. Note that a conventional decoder uses the Berlekamp-Massey (BM) algorithm in each trial, so the number of finite field multiplications in the BM algorithm is O(t²), where t is defined above. In Wu's method, one can use the previous estimation of the ELP to obtain the next estimation in O(t) finite field multiplications. So, instead of naively re-running the BM algorithm, one uses the previous result to save time. Thus, each step is linear in t, instead of quadratic in t. In particular, in Wu's algorithm, each additional flipped bit requires two discrepancy calculations and two polynomial updates. However, the manipulated polynomials typically have a degree that grows from t to the actual number of errors, say, t+r.

Wu also has a heuristic stopping criterion for entering the Chien search. Note that a stopping criterion must never miss the correct error locator, but is allowed to have (rare) false positives. A false positive is just an unnecessary computation. If these unnecessary computations are rare, then they have practically no effect. Wu's stopping criterion never misses the correct error-locator polynomial, and rarely has a false positive, but does result in a small degradation in frame-error rate (FER) as compared to full Chien search.

SUMMARY

According to an embodiment of the disclosure, there is provided an application specific integrated circuit (ASIC) that tangibly encodes a method for fast polynomial updates in fast Chase decoding of binary Bose-Chaudhuri-Hocquenghem (BCH) codes. The method includes the steps of using outputs of a syndrome-based hard-decision (HD) algorithm to find a Groebner basis for a solution module of a modified key equation, upon failure of HD decoding of a BCH codeword received by the ASIC from a communication channel; evaluating polynomials obtained from said Groebner basis at inverses of specified weak-bit locations; and transforming a Groebner basis for a set of flipped weak-bit locations (α₁, . . . , α_(r−1)) to a Groebner basis for (α₁, . . . , α_(r)), wherein α_(r) is a next weak-bit location, wherein r is a difference between a number of errors and a HD correction radius of the BCH codeword.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a schematic block diagram of a BM-based Chase decoding algorithm according to an embodiment of the disclosure.

FIG. 2 is a flowchart of a fast Chase pre-calculation according to an embodiment of the disclosure.

FIG. 3 illustrates an exemplary Wu-type tree for a 5-bit sequence, according to an embodiment of the disclosure.

FIG. 4 is a flowchart of a Koetter algorithm that is specialized for fast Chase decoding, according to an embodiment of the disclosure.

FIG. 5 illustrates a general method to convert the outputs of the standard BM algorithm to a Groebner basis to a generic module N, according to an embodiment of the disclosure.

FIG. 6 is a block diagram of a machine for performing BM-based fast chase decoding of binary BCH codes, according to an embodiment of the disclosure.

FIG. 7 is a flowchart of another method of obtaining h₁, h₂, and ĥ₁, ĥ₂. and w, according to an embodiment of the disclosure.

DETAILED DESCRIPTION OF EXEMPLARY EMBODIMENTS

Exemplary embodiments of the invention as described herein generally provide systems and methods for performing BM-based fast chase decoding of binary BCH codes. While embodiments are susceptible to various modifications and alternative forms, specific embodiments thereof are shown by way of example in the drawings and will herein be described in detail. It should be understood, however, that there is no intent to limit the invention to the particular forms disclosed, but on the contrary, the invention is to cover all modifications, equivalents, and alternatives falling within the spirit and scope of the invention.

Exemplary embodiments of the disclosure as described herein generally include systems and methods for a new polynomial-update algorithm that manipulates polynomials of degrees that typically grow from 0 to only 2r−1, and has a new stopping criterion that differs from Wu's criterion and that avoids unnecessary Chien searches. For example, if t=10 and r=3, Wu's polynomials typically have a degree that grows from 10 to 13. Polynomials in an algorithm according to an embodiment have a degree that typically grows from 0 to 5. A Chase decoder polynomial-update algorithm according to an embodiment is based on the BM algorithm, since the BM algorithm is already implemented and well-understood. Polynomials according to embodiments should be further processed to obtain the desired error-locator polynomial. This has a cost in complexity, but further processing is performed only when the stopping criteria suggests that the correct error-locator polynomial may have been obtained.

This disclosure will use terminology that is substantially similar to that in Massey's 1969 paper, Massey, J. L. (1969), “Shift-register synthesis and BCH decoding”, IEEE Trans. Information Theory, IT-15 (1): 122-127, the contents of which are herein incorporated by reference in their entirety.

FIG. 1 is a schematic block diagram of a BM-based Chase decoding algorithm according to an embodiment of the disclosure. Referring to the figure, a BM-based Chase decoding algorithm includes a syndrome calculation 11, a BM algorithm 12, fast Chase pre-calculations 13, fast Chase polynomial updates 14, error locator construction 15, and a Chien search 16. Steps 13, 14, and 15 are performed if HI) decoding fails. These steps will be described in detail below.

The syndromes are calculated from a received codeword at step 11 as described above. A BM algorithm as performed at step 12 is a modified version of the BM algorithm described above. A binary BM algorithm according to an embodiment of the disclosure is as follows.

The input is

(a) The correction radius t; and

(b) The syndrome polynomial S(X).

The output is:

(a) A polynomial C(X) such that (SC mod X^(2t), C) is an element of Ñ₁ of minimal order, where Ñ₁:={(u,v)ϵÑ|v(0)=1}, Ñ:={(u,v)ϵ

₂ _(m) [X]×

₂ _(m) [X]|u≡Sv mod(X^(2t))};

(b) An integer L defined by L:=ord(SC mod X^(2t), C), where ord(f₀,f₁):=max{deg(f₀)+1, deg(f₁)} is the order of (f₀, f₂);

(c) A polynomial B(X) tracking C(X) before the last length change;

(d) A polynomial B(X) tracking C(X) before the last length change in a virtual BM algorithm, where the virtual BM algorithm minimizes the order in N_(l), where

${N_{1}:=\left\{ {\left. {\left( {u,v} \right) \in N} \middle| {v(0)} \right. = 1} \right\}},{N:=\left\{ {\left( {u,v} \right) \in {{_{2^{m}}\lbrack X\rbrack} \times {_{2^{m}}\lbrack X\rbrack}}} \middle| {u \equiv {\frac{S_{even}(X)}{1 + {{XS}_{odd}(X)}}v\; {{mod}\left( X^{t} \right)}}} \right\}},$

with an input syndrome

${\frac{S_{even}(X)}{1 + {{XS}_{odd}(X)}}{mod}\; X^{t}},$

where S_(even)(X) and S_(odd)(X) are the even and odd parts, respectively, of S(X), defined in general below;

(e) An integer δ tracking the number of indices since the last length change; and

(f) An integer {tilde over (δ)} tracking the number of indices since the last length-change in the virtual BM algorithm. Note that

$u \equiv {\frac{S_{even}(X)}{1 + {{XS}_{odd}(X)}}v\; {{mod}\left( X^{t} \right)}}$

is a modified key equation. The following initializations are performed:

-   -   C(X):=1, B(X):=1, {tilde over (B)}(X):=1, δ:=1, {tilde over         (δ)}:=1, L:=0, b:=1.

A BM algorithm according to an embodiment performs the following iterations.

for k=1 to t:

-   -   set d:=Coeff_(x) _(2k−2) (SC) //coeff. of X^(k′−1) for k′=2k−1     -   if d=0, then // minimum LFSR unchanged         -   update δ←δ+2         -   update {tilde over (δ)}←{tilde over (δ)}+1     -   if d≠0 and 2k−1<2L+1, then // LFSR change w/o length change         -   update C(X)←C(X)−db⁻¹X^(δ)B(X)         -   update δ←δ+2         -   update {tilde over (δ)}←{tilde over (δ)}+1     -   if d≠0 and 2k−1≥2L+1, then // length change         -   set TMP:=C(X)         -   update C(X)←C(X)−db⁻¹X^(δ)B(X)         -   set B(X):=TMP         -   set b:=d         -   set δ:=2         -   set L′:=2k−1−L // next length, temp. storage         -   if 2 does not divide L and L′=L+1 // no virtual length             change             -   update {tilde over (δ)}←{tilde over (δ)}+1         -   else // virtual length change             -   update {tilde over (B)}(X)←B(X)             -   set {tilde over (δ)}:=1         -   set L:=L′

Recall that in case of length-change, the BM algorithm saves the last C, i.e., the shortest LFSR before the length change, in B. A modified BM algorithm 12 according to an embodiment of the disclosure uses storage for two B polynomials instead of one, and maintains an additional polynomial B′ that is updated as follows. If there is a length change, i.e., when B has to be updated, then B′ is unchanged, if L, the minimum LFSR length, is odd and changes to L+1. So, in this case B′ has the value of B before the update. Otherwise, B′ changes, and is equal to the updated B.

A HD decoding is said to fail if the HD decoder failed to output a valid codeword. Because the HD decoder is limited to correcting up to t errors, if there are more than t errors, the typical result is a decoding failure. A much less probable case is to have an undetected error, in which the number of errors is so large that the decoder outputs some codeword, but this is not the transmitted codeword. If the BM algorithm 12 fails to output a valid codeword, then an algorithm according to embodiments of the disclosure branches to perform the fast Chase pre-calculations 13, the fast Chase polynomial updates 14, and the error locator construction 15, before performing the Chien search 16.

The fast Chase pre-calculations block 13 calculates some values that are unchanged during the fast Chase iterations, and thus can be pre-calculated once in advance.

First, for a field K, define a monomial ordering <_(r) on K[X]² as follows: (X^(i), 0)<(X^(j), 0) iff i<j, (0,X^(i))<(0,X^(j)) iff i<j, and (X^(i), 0)<(0,X^(j)) iff i≤j+r. In addition, for an even integers sϵ

, and a polynomial f(X)=f₀+f₁X+ . . . +f_(s)X^(s)ϵK[X], the odd part of f(X), f_(odd)(X), is f_(odd)(X):=f₁+f₃X+ . . . +f_(s−1)X^(s/2−1), while the even part of f(X), f_(even)(x), is f_(even)(X):=f₀+f₂X+ . . . +f_(s)X^(s/2). In the above definition, note that f(X)=f_(even)(X²)+Xf_(odd)(X²).

FIG. 2 is a flowchart of a fast Chase pre-calculation according to an embodiment of the disclosure. Referring to the figure, at step 21, from the B, C outputs of the BM algorithm, two pairs of polynomials, h₁=(h₁₀(X), h₁₁(X)), h₂=(h₂₀(X), h₂₁(X)), where X is the free variable, are prepared as follows. Let the pair h₁ be the odd and even parts of C, the minimum LFSR output by the BM algorithm. Let the pair h₂ be a shifted version, i.e., a multiplied by a power of X, of the odd and even parts of the polynomial B′. If the leading monomials of h₁ and h₂ with respect to the above monomial ordering contain distinct unit vectors, keep h₁ and h₂ unchanged, otherwise, at step 22, for exactly one iϵ{1,2}, writing j:={1,2}\{i}, replace h_(i)←h_(i)+cX^(l)h_(j) for come c and l, where cϵK* and lϵN are chosen such that the leading monomial of h_(i) is canceled. The resulting pair is a Groebner basis for a solution of the modified key equation

$u \equiv {\frac{S_{even}(X)}{1 + {{XS}_{odd}(X)}}v\; {{mod}\left( X^{t} \right)}}$

for a <⁻¹ monomial ordering. Then, at step 23, for iϵ{1,2}, let {umlaut over (h)}_(i)(X):=h_(i1)(X²)+Xh_(i0)(X²). This combines the even and odd parts. Note that no calculations are involved. The polynomials ĥ₁(X) and ĥ₂ (X) are outputs of the pre-calculations block 13.

Next, let the weak bits coordinates be α₁, . . . , α_(R). At step 24, the pre-calculations block 13 calculates and outputs α₁ ⁻², . . . , α_(R) ⁻², as well as ĥ₁(α₁ ⁻¹), . . . , ĥ₁(α_(R) ⁻¹), ĥ₂(α₁ ⁻¹), . . . , ĥ₂(α_(R) ⁻¹), and a weight w defined as w:=2 deg(h₂₁)−t−(1−ε), where ε is the total number of errors, and ε=ε mod 2 is assumed known at the negligible cost of losing one information bit.

The polynomial update block uses the quantities pre-calculated by the pre-calculations block 13 along with weak bit coordinates from additional soft reads. Flipping patterns are arranged in a Wu-type tree in which in each path from the root to a leaf, one additional bit is flipped at each level of the tree. An exemplary Wu-type tree for a 5-bit sequence is shown in FIG. 3. Intermediate results may be saved for nodes 30 with more than one child node, which are boxed in the figure. The processing for one edge of the graph of FIG. 3, i.e., the processing for adding one more assumed error, is as follows.

Let the primitive binary BCH code being decoded have length 2^(m)−1, and let K be a finite field defined as K:=F₂ _(m) . Then search for two polynomials f₁(X), f₂(X)ϵK[X] such that the error-locator polynomial σ(X) is given by

σ(X)=f ₁(X ²)ĥ ₁(X)+f ₂(X ²)ĥ ₂(X),

where ĥ₁(X) and ĥ₂(X) are outputs of the pre-calculations block 13.

Let α₁, . . . , α_(r)ϵK be a set of potential error locations to be flipped, and consider the following interpolation task. Among all bivariate polynomials Q(X Y)=q₀(X)+Y_(q1)(X) of Y-degree of at most one that satisfy the following two conditions:

∀js·t·ĥ ₁(α_(j) ⁻¹)≠0:Q(α_(j) ⁻² ,ĥ ₂(α_(j) ⁻¹)/ĥ ₁(α_(j) ⁻¹))=0;  (1)

∀js·t·ĥ ₁(α_(j) ⁻¹)=0:

(α_(j) ⁻²,0)=0;  (2)

where

(X,Y):=q₁(X)+Yq₀(X) is the Y-reversed version of Q, find a polynomial Q(X Y) that minimizes the (1, w)-weighted degree, defined as

max(deg(q ₀),deg(q ₁)+w),

where w is an output of the pre-calculations block 13. Let L=L(α₁, . . . , α_(r)) be a module of those bivariate polynomials of Y-degree of at most one that satisfy the above two conditions, and let Q(X Y) by a polynomial on L that minimizes the weighted degree.

The basic ideas of a Chase decoding according to an embodiment are as follows.

1. Correctness: If all of the α_(j) are actual error locations and r≥ε−t, i.e., there is a correct flipping pattern that is at least as large as that required for a Chase trial, then the sought-after polynomials f₁(X) and f₂(X) appear in Q(X, F), that is, Q(X, Y)=c (f₁(X)+Y f₂(X)), for some non-zero constant c.

2. Groebner Basis: A minimizing Q(X, Y) appears in a Groebner Basis (GB) for L with an appropriate monomial ordering, such as a <_(w) ordering. Embodiments of the disclosure use GBs with two bivariate polynomials. An appropriate monomial ordering is a defined above with respect to the pre-calculations.

3. Fast Update: If there already exists a GB for L=L(α₁, . . . , α_(r−1)), it is easy to obtain a GB for an additional flipping, that is, for L(α₁, . . . , α_(r−1), α_(r)). A fast Chase update needs an algorithm for moving from a GB for L(α₁, . . . , α_(r−1)) to a GB for L(α₁, . . . , α_(r)). According to embodiments, one such algorithm is Koetter's algorithm.

Koetter's algorithm solves a more general interpolation than Chase decoding. FIG. 4 is a flowchart of a Koetter algorithm according to an embodiment that is specialized for fast Chase decoding, with a monomial <_(w) ordering.

The input to a Koetter algorithm according to an embodiment is a GB {g₁=(g₁₀(X), g₁₁(X)), g₂=(g₂₀(X), g₂₁(X))} for L(α₁, . . . , α_(r−1)) with the leading monomial (LM) of g₁ in the first coordinate and the LM of g₂ in the second coordinate, and the next error location α_(r). The output is a GB {g⁺ ₁=(g⁺ ₁₀(X), g⁺ ₁₁(X)), g⁺ ₂=(g⁺ ₂₀(X), g⁺ ₂₁(X))} for L(α₁, . . . , a_(r−1), α_(r)) with the LM of g⁺ ₁ in the first coordinate and the LM of g⁺ ₂ in the second coordinate.

Referring now to the figure, an algorithm according to an embodiment begins at step 41 by calculating, for j=, 2, a discrepancy:

$\Delta_{j}:=\left\{ {\begin{matrix} {{{{\hat{h}}_{1}\left( \alpha_{r}^{- 1} \right)}{g_{j\; 0}\left( \alpha_{r}^{- 2} \right)}} + {{{\hat{h}}_{2}\left( \alpha_{r}^{- 1} \right)}{g_{j\; 1}\left( \alpha_{r}^{- 2} \right)}}} & {{{if}\mspace{14mu} {{\hat{h}}_{1}\left( \alpha_{r}^{- 1} \right)}} \neq 0} \\ {g_{j\; 1}\left( \alpha_{r}^{- 2} \right)} & {otherwise} \end{matrix}.} \right.$

If, at step 42, d, =0 for some j, exit, and go to error locator construction 15, and Chien search 16. This is a stopping criterion according to an embodiment, and is described below.

An algorithm according to an embodiment continues at step 43 by setting J:={jϵ{1,2}|Δ_(j)≠0}. If, at step 44, J=Ø, output g₁, g₂ at step 45, and process the next error location α_(r+1). Otherwise, at step 46, let j*ϵJ be such that the LM(g_(j)*)=min_(j){LM(g_(j))}, where the LM and the minimization are with respect to the monomial ordering <_(w), where w is the pre-calculated weight. Then, at step 47, the polynomials are updated: for jϵJ,

${{{if}\mspace{14mu} j} \neq j^{*}},{{{{set}\mspace{14mu} g_{j}^{+}}:={g_{j} + {\frac{\Delta_{j}}{\Delta_{j^{*}}}g_{j^{*}}}}};}$ otherwise, set  g_(j)⁺ := (X + α_(r)⁻²)g_(j),

after which the algorithm returns to step 41.

A Koetter algorithm according to an embodiment for fast Chase decoding is called on the edges of Wu's tree, shown in FIG. 3. In particular, when the algorithm is first called, g₁=(1,0) and g₂=(0,1). Then, the previous output becomes the next input when one additional bit becomes one in the flipping pattern. For example, consider the following sequence of flipping patterns 31 in the tree shown in FIG. 3, assuming that there are 5 weak bits: 01000→01010→01110→11110→111111. Then the initial GB for the first flipping pattern (single flipped bit, 01000) is g₁=(1,0), g₂=(0,1) and α₁ is the field element pointing to the 2^(nd) weak bit (01000), and the output GB (g₁ ⁺, g₂ ⁺) becomes the input GB (g₁, g₂), this time with α₂ pointing to the fourth weak bit (01010), etc. A Koetter's algorithm according to an embodiment outputs two pairs of polynomials: g₁ ⁺ and g₂ ⁺. A fast Chase decoder according to an embodiment selects one of the two outputs—the one that has a smaller leading monomial.

Note that if up to r bits within the weak bits are flipped, then the depth of every path from the root to a leaf is at most r. Thus, according to embodiments of the disclosure, after applying a Koetter algorithm according to an embodiment r times, the sum of the degrees of the four involved polynomials is at most 2r−1:

deg(g ⁺ ₁₀)+deg(g ⁺ ₁₁)+deg(g ⁺ ₂₀)+deg(g ⁺ ₂₁)≤2r−1.

Note that it is possible that one of g⁻ ₁₁ or g⁺ ₂₀ is the zero polynomial, in which case the above formula is meaningless, since deg(0)=−∞. However, in such a case, it can be verified that the formula still holds when the sum on the left-hand side is only over the non-zero polynomials.

A stopping criterion for a Koetter algorithm according to an embodiment for fast Chase decoding is as follows. Suppose that α₁, . . . , α_(r) are correct flipping locations, and that r=ε−t, so that an error-locator polynomial can be constructed from the output of a Koetter's algorithm according to an embodiment. However, it is expensive to reconstruct σ(X) and perform a Chien search. However, suppose there exists one more erroneous location, α_(r+1), within the weak bits. Then, according to embodiments of the disclosure, in Koetter's iteration for adjoining α_(e+1) to α_(j), . . . , α_(r), one of the discrepancies will be zero: Δ_(j)=0 for some j. Thus, checking if one of the Δ_(j)'s is zero can serve as a stopping criterion. However, it is possible that some Δ_(j) is zero even if there is not a correct error-locator polynomial, i.e., Δ_(j) is a false positive. The cost of handling a false positive is an increased complexity. However, even if the false positive rate is of the order 1/100, or even 1/10, the overall increase in complexity is negligible, and a Monte Carlo simulation can be used to obtain a reliable estimation in such situations. The cost of a stopping criterion according to an embodiment involves performing half an iteration of the discrepancy calculation for a sphere of radius r+1 when ε−t is only r. This reduces the overall complexity gain over a brute force Chien search. When ε−t=r, r+1 errors are needed in the weak bits, which slightly degrades the FER in comparison to a brute force Chien search.

After performing the fast Chase polynomial updates and satisfying the stopping criteria, an algorithm constructs an error locator polynomial (ELP), as follows. First, let jϵ{1,2} be such that g_(j) ⁺=(g⁺ _(j0)(X), g⁺ _(j1)(X)) is the output of a Koetter's algorithm according to an embodiment, with a minimal leading monomial ordered according to <_(w). Then the ELP σ(X) can be reconstructed, up to a multiplicative constant, from σ(X)=g_(j0) ⁺(X²)ĥ₁(X)+g_(j1) ⁺(X²)ĥ₂(X). Here, the ĥ_(j)(X) are defined as follows: Letting {h₁, h₂} be a Groebner basis for the module N, where h₁=(h₁₀, h₁₁) has its leading monomial in the first coordinate and h₂=(h₂₀, h₂₁) has its leading monomial in the second coordinate. Then, for i=1,2, define ĥ_(i)(X):=h_(i1)(X²)+Xh_(i0)(X²).

According to further embodiments of the disclosure, a general method to convert the outputs of the standard BM algorithm to a Groebner basis to a generic module N with respect to the ordering <⁻¹ is as follows, as illustrated in the flowchart of FIG. 5. According to an embodiment, a generic module N is defined as N:={(u,v)ϵK[X]×K[X]|u≡g vmod(X^(m))}, where K is some field, mϵ

* is some integer, where N* is the integers without 0, and g(X)ϵK[X] is some polynomial, and g(X)≠0 mod X^(m). Referring now to the figure, at step 51, from the outputs C, B, δ of the BM algorithm with inputs m, g, form the following two pairs of polynomials:

b ₁:=(gC mod X ^(m) ,C), and

b ₂:=(gX ^(δ) B mod X ^(m) ,X ^(δ) B).

Then consider three cases, where leading monomials are ordered according to the ordering <⁻¹:

(1) If, at step 52, the leading monomials of b₁ and b₂ contain distinct unit vectors, then output {b₁, b₂} as the Groebner basis at step 53;

(2) If, at step 54, the leading monomials contain the same unit vector and the leading monomial of b₁ is at least as large as that of b₂, then output {b₁−cX^(l)b₂, b₂,} as the GB at step 55, where cϵK*, where K* is a multiplicative subgroup of K without 0, and lϵN are chosen such that the leading monomial of b₁ is canceled; and

(3) If, at step 56, the leading monomials contain the same unit vector and the leading monomial of b₂ is strictly larger than that of b₁, then output {b₁, b₂−cX^(l)b₁} as the GB at step 57, where cϵK* and lϵN* are chosen such that the leading monomial of b₂ is canceled. Note that these cases cover all possibilities.

According to further embodiments of the disclosure, there is also another way to obtain h₁, h₂, and consequently ĥ₁, ĥ₂. and w, as follows:

1. Calculate the modified syndrome,

$\hat{S}:={\frac{S_{even}(X)}{1 + {{XS}_{odd}(X)}}{mod}\; {X^{t}.}}$

Note that there is an efficient way to do this, which will be described below.

2. Find a two-element Groebner basis {h₁, h₂} for the module N:={(u,v)ϵ

₂m[X]×

₂ _(m) [X]|u≡Ŝv mod(X^(t))}. This can be done in several different ways:

-   -   (a) Apply a conventional BM algorithm to the inputs t and Ŝ, and         then convert the outputs C, B, δ to the required Groebner basis         h₁, h₂ using the generic conversion method described above.     -   (b) Alternatively, use Fitzpatrick's algorithm.     -   (c) Alternatively, use the Euclidean algorithm.

Now, the calculation of the modified syndrome concerns the general question of finding

${\frac{f}{1 + X_{g}}{mod}\; X^{k}},$

where f, gϵK[X] are polynomials over some field K and k is some positive integer. For a polynomial t(X)=t₀+t_(j)X+ . . . t_(r)X^(r), write [t(X)]_(i):=t_(i), the coefficient of X^(i). For iϵ{1, . . . , k}, suppose there is a polynomial t_(i−1)(X) that satisfies the following two conditions: (1) deg(t_(i−1))≤i−1, and (2) t_(i−1)(1+Xg)=f mod X^(i). Define Δ=[f]_(i)−[t_(i−1) (1+Xg)]_(i). Then, t_(i):=t_(i−1)+ΔX^(i) satisfies conditions (1), (2) above with i+1 instead of i. Note that in the calculation of Δ, finding [t_(i−1)(1+Xg)]_(i) requires the calculation of one single coefficient of the multiplied polynomials. Furthermore, since deg(t_(i−1))≤i−1, then [t_(i−1)(1+Xg)]_(i)=[t_(i−1) g]_(i−1). This leads to a following algorithm according to an embodiment for calculating

${\frac{f}{1 + X_{g}}{mod}\; X^{k}},$

with reference to the flowchart of FIG. 7:

t := [f]₀ (Step 70) for i = 1 to k−l (Step 71) Δ := [f]_(i)− [t g]_(i−l) (Step 72) t ← t + Δ X^(i) (Step 73) end (Step 74) output t (Step 75) An algorithm according to an embodiment has zero delay, since the coefficient of X^(l) in the output t is in its final form after the i-th iteration, and can be pipelined with the Groebner basis algorithms of steps 2(a), 2(b) to speed up the processing.

Theoretical Background and Proof of Validity

The validity of the above method for fast Chase decoding will now be explained. In what follows, for a polynomial f, the notation

,

will sometimes be used for f_(even), f_(odd), respectively.

Definition

Define an

₂ _(m) [X]-module, L, as follows. As an abelian group, L=

₂ _(m) [X], but the scalar multiplication ·₁:

₂ _(m) [X]×L→L is defined by f(X)·₁g(X):=f(X²)g(X). Let μ:

₂ _(m) [X]×

₂ _(m) [X]→L be defined by (u(X),v(X))

v(X²)+Xu(X²), and note that μ is an isomorphism of

₂ _(m) [X]-modules.

Recall that we have defined

$N:=\left\{ {\left( {u,v} \right) \in {{_{2^{m}}\lbrack X\rbrack} \times {_{2^{m}}\lbrack X\rbrack}}} \middle| {u \equiv {\frac{\overset{even}{S}(X)}{1 + {X{\overset{odd}{S}(X)}}}v\; {mod}\; \left( X^{t} \right)}} \right\}$

as the solution module of the modified key equation. Define also M={uϵ

₂ _(m) [X]|u′≡Su mod (X^(2t))}, the solution module of the standard key equation in the binary case. The two solution modules are related through the following proposition. Proposition 1 (Relation between solution modules). M is an

₂ _(m) [X]-submodule of L and μ(N)=M. Hence p restricts to an isomorphism μ′: N{tilde over (→)}M.

Proof.

While the first assertion follows from the second, it can be verified directly. First, M is clearly an abelian subgroup of L, and so it remains to verify that for all fϵ

₂ _(m) [X] and all uϵM, f·₁uϵM. But

(f(x)·₁ u(X))′=(f(X ²)u(X))′=f(X ²)u′(X)≡f(X ²)Su=S·(f(X)·₁ u(X)),

where characteristic 2 was used in the second equation, and where ≡ stands for congruence modulo (X^(2t)).

Let us now turn to the second assertion. For a polynomial uϵ

₂ _(m) [X] we have u′(X)=

(X²), and so u is in M iff

$\begin{matrix} {{{\overset{odd}{u}\left( X^{2} \right)} \equiv {\left( {{\overset{even}{S}\left( X^{2} \right)} + {X{\overset{odd}{S}\left( X^{2} \right)}}} \right)\left( {{\overset{even}{u}\left( X^{2} \right)} + {X{\overset{odd}{u}\left( X^{2} \right)}}} \right)}} = {{{\overset{even}{S}\left( X^{2} \right)}{\overset{even}{u}\left( X^{2} \right)}} + {X^{2}{\overset{odd}{S}\left( X^{2} \right)}{\overset{odd}{u}\left( X^{2} \right)}} + {{X\left( {{{\overset{odd}{S}\left( X^{2} \right)}{\overset{even}{u}\left( X^{2} \right)}} + {{\overset{even}{S}\left( X^{2} \right)}{\overset{odd}{u}\left( X^{2} \right)}}} \right)}.}}} & (1) \end{matrix}$

Now, (1) is equivalent to the following pair of equations:

$\begin{matrix} {{{\overset{odd}{u}\left( X^{2} \right)} \equiv {{{\overset{even}{S}\left( X^{2} \right)}{\overset{even}{u}\left( X^{2} \right)}} + {X^{2}{\overset{odd}{S}\left( X^{2} \right)}{\overset{odd}{u}\left( X^{2} \right)}{{mod}\left( X^{2\; t} \right)}}}},{and}} & (2) \\ {0 \equiv {{{\overset{odd}{S}\left( X^{2} \right)}{\overset{even}{u}\left( X^{2} \right)}} + {{\overset{even}{S}\left( X^{2} \right)}{\overset{odd}{u}\left( X^{2} \right)}{{{mod}\left( X^{2\; t} \right)}.}}}} & (3) \end{matrix}$

So, we have shown that uϵM iff EQS. (2) and (3) are true. To prove the assertion, we will show that for all uϵ

₂ _(m) [X], (i) EQ. (3) follows from EQ. (2), so that uϵM iff EQ. (2), and (ii) EQ. (2) is equivalent to μ⁻¹(u)ϵN, so that uϵM iff μ⁻¹(u)ϵN. Let us start with (ii). Observe that for all u, EQ. (2) is equivalent to

$\begin{matrix} {{\overset{odd}{u}(X)} \equiv {{{\overset{even}{S}(X)}{\overset{even}{u}(X)}} + {X{\overset{odd}{S}(X)}{\overset{odd}{u}(X)}{{{mod}\left( X^{\; t} \right)}.}}}} & (4) \end{matrix}$

Collecting terms in the last equation, and noting that

$1 + {X{\overset{odd}{S}(X)}}$

has an inverse in

₂ _(m) [[X]], and hence in

₂ _(m) [X]/(X^(i)) for all i, we see that for all uϵ

₂ _(m) [X], EQ. (2) is equivalent to μ⁻¹(u)ϵN, as required.

Moving to (i), recall that in the binary case in question, for all i, S_(2i)=S_(i) ², and hence

${{S(X)}^{2} = {{S_{2} + {S_{4}X^{2}} + \ldots + {S_{{2\; d} - 2}X^{{2\; d} - 4}}} \equiv {{\overset{odd}{S}\left( X^{2} \right)}{{mod}\left( X^{2\; t} \right)}}}},$

recall that d=2t+1. Hence

${\left( {{\overset{even}{S}\left( X^{2} \right)} + {X{\overset{odd}{S}\left( X^{2} \right)}}} \right)^{2} \equiv {{\overset{odd}{S}\left( X^{2} \right)}{{mod}\left( X^{2\; t} \right)}}},{{that}\mspace{14mu} {is}},{\left( {\overset{even}{S}\left( X^{2} \right)} \right)^{2} \equiv {{X^{2}\left( {\overset{odd}{S}\left( X^{2} \right)} \right)}^{2} + {{\overset{odd}{S}\left( X^{2} \right)}{{mod}\left( X^{2\; t} \right)}}}},$

which is equivalent to

$\begin{matrix} {\left( {\overset{even}{S}(X)} \right)^{2} \equiv {{X\left( {\overset{odd}{S}(X)} \right)}^{2} + {{\overset{odd}{S}(X)}{{{mod}\left( X^{t} \right)}.}}}} & (5) \end{matrix}$

Now, to prove (i), assume that EQ. (2) holds, so that EQ. (4) also holds. Multiplying EQ. (4) by

$\mspace{20mu} {{{\overset{even}{S}(X)}\mspace{14mu} {and}\mspace{14mu} {writing}{`` \equiv "}{for}\mspace{14mu} {congruence}\mspace{14mu} {modulo}\mspace{14mu} \left( X^{t} \right)},{{we}\mspace{14mu} {get}}}$ ${{{\overset{odd}{u}(X)}{\overset{even}{S}(X)}} \equiv {{\left( {\overset{even}{S}(X)} \right)^{2}{\overset{even}{u}(X)}} + {X{\overset{odd}{S}(X)}{\overset{even}{S}(X)}{\overset{odd}{u}(X)}}}\overset{{(*})}{\equiv}{{\left( {1 + {X{\overset{odd}{S}(X)}}} \right){\overset{odd}{S}(X)}{\overset{even}{u}(X)}} + {X{\overset{odd}{S}(X)}{\overset{even}{S}(X)}{\overset{odd}{u}(X)}}}},$

where (*) follows from EQ. (5), which is equivalent to

${\left( {1 + {X{\overset{odd}{S}(X)}}} \right){\overset{odd}{u}(X)}{\overset{even}{S}(X)}} \equiv {\left( {1 + {X{\overset{odd}{S}(X)}}} \right){\overset{odd}{S}(X)}{{\overset{even}{u}(X)}.}}$

Canceling the term

${1 + {X{\overset{odd}{S}(X)}}},$

which is invertible in

₂ _(m) [X]/(X^(t)), we get

$0 \equiv {{{\overset{odd}{S}(X)}{\overset{even}{u}(X)}} + {{\overset{even}{S}(X)}{\overset{odd}{u}(X)}{{mod}\left( X^{t} \right)}}}$

which is equivalent to EQ. (3), as required.

The following proposition will be useful ahead. We omit the simple proof.

Proposition 2. Let K be Afield.

1. For rϵ

* and for any monomial ordering on K[X]^(r), let P⊂K[X]^(r) be a submodule with the following property: for all iϵ{0, . . . , r−1}, there is a vector fϵP such that LM(f) contains the i-th unit vector. Then P has a Groebner basis {h₁, . . . , h_(r)} with LM(h_(i)) containing the i-th unit vector for all i. 2. For any gϵK[X] and any sϵ

*, the submodule P:={(u,v)|u≡gv mod(X^(s))} of K[X]² satisfies the condition of part 1 of the theorem (as clearly (X^(s), 0), (0, X^(s))ϵP) and therefore has a two-element Groebner basis {h₁, h₂} with LM(h₁) containing (1,0) and LM(h₂) containing (0,1).

Note that in part 1 of the proposition, and hence also in part 2, the Groebner basis is also a free-module basis. The following proposition is a small modification of Proposition 2 of P. Beelen, T. Hoeholdt, J. S. R. Nielsen, and Y. Wu, “On rational interpolation-based list-decoding and list-decoding binary Goppa codes,” IEEE Trans. Inform. Theory, vol. 59, no. 6, pp. 3269-3281, June 2013, the contents of which are herein incorporated by reference in their entirety.

Proposition 3. Let {h₁=(h₁₀, h₁₁), h₂=(h₂₀, h₂₁)} be a Groebner basis for the module N with respect to the monomial ordering <⁻¹, and assume without loss of generality that that LM(h₁) contains (1,0) and LM(h₂) contains (0,1). Then 1. deg(h₁₀)+deg(h₂₁)=t. 2. For u=(u₀, u₁)ϵN, let f₁, f₂ϵ

₂ _(m) [X] be the unique polynomials such that u=f₁h₁+f₂h₂. Put ε′:=deg(μ(u))=deg(u₁(X²)+Xu₀(X²)). (a) If ε′ is even, so that ε′=2deg(u₁), then

deg(f ₁(X))≤deg(u ₁(X))−t+deg(h ₂₁(X))−1=:w ₁ ^(even)

deg(f ₂(X))=deg(u ₁(X))−deg(h ₂₁(X))=:w ₂ ^(even)

(b) Otherwise, if ε′ is odd, so that ε′=2deg(u₀)+1, then

deg(f ₁(X))=deg(u ₀(X))−t+deg(h ₂₁(X))=:w ₂ ^(odd)

deg(f ₂(X))≤deg(u ₀(X))−deg(h ₂₁(X))=:w ₂ ^(odd)

Definition

1. For h_(i)(i=1,2) as in the above proposition, let ĥ_(i):=μ(h_(i)), so that ĥ_(i) is the polynomial obtained by gluing the odd and even parts specified in h_(i). 2. Take u:=μ⁻¹(σ) in part 2 of the proposition, so that ε′=deg(σ)=ε is the number of errors in the received word y. For i=1,2, let f_(i)(X)ϵ

₂ _(m) [X] be the unique polynomials from the proposition for this choice of u, and let

${N_{1}:=\left\{ {\left. {\left( {u,v} \right) \in N} \middle| {v(0)} \right. = 1} \right\}},{N:=\left\{ {\left( {u,v} \right) \in {{_{2^{m}}\lbrack X\rbrack} \times {_{2^{m}}\lbrack X\rbrack}}} \middle| {u \equiv {\frac{S_{even}(X)}{1 + {{XS}_{odd}(X)}}v\; {{mod}\left( X^{t} \right)}}} \right\}},$

Note that w₁+w₂=ε−t−1, regardless of the parity of ε. The following proposition is a small modification of p. 148 of J. S. R. Nielsen, “List Decoding of Algebraic Codes,” Ph.D. Thesis, Dep. of Applied Mathematics and Computer Science, Technical University of Denmark, 2013, the contents of which are herein incorporated by reference in their entirety. The proof is omitted, which is similar to that appearing in the above reference.

Proposition 4.

1. Suppose that there exists some free-module basis {g₁, g₂} for N such that gcd(μ(g₁),u(g₂))=1. Then for any free-module basis {h₁,h₂} for N it holds that gcd(μ(h₁),μ(h₂))=1. 2. N has a free-module basis {g₁, g₂} with gcd(μ(g₁), μ(g₂))=1. Let us now return to the error-locator polynomial, σ(X). Let {h₁, h₂} be a GB for N as in Proposition 3, and recall that ε=deg(σ) is the number of errors in the received word. Let f₁,f₂ϵ

₂ _(m) [X] be the unique polynomials such that μ⁻¹(σ)=f₁h₁+f₂h₂. Since μ is a homomorphism, we have

$\begin{matrix} {{{\sigma = {{\mu \left( {{f_{1}h_{1}} + {f_{2}h_{2}}} \right)} = {{{{f_{1}(X)} \cdot_{1}{\mu \left( h_{1} \right)}} + {{f_{2}(X)} \cdot_{1}{\mu \left( h_{2} \right)}}} = {{{f_{1}\left( X^{2} \right)}{\hat{h}}_{1}} + {{f_{2}\left( X^{2} \right)}{\hat{h}}_{2}}}}}},\mspace{20mu} {{that}\mspace{14mu} {is}}}\mspace{20mu} {{\sigma (X)} = {{{f_{1}\left( X^{2} \right)}{{\hat{h}}_{1}(X)}} + {{f_{2}\left( X^{2} \right)}{{{\hat{h}}_{2}(X)}.}}}}} & (6) \end{matrix}$

Hence,

∀xϵRoots(σ,

₂ _(m) ),f ₁(x ²)·ĥ ₁(x)+f ₂(x ²)·ĥ ₂(x)=0,  (7)

and also, by Proposition 4,

∀xϵ

₂ _(m) *,ĥ ₁(x)=0⇒ĥ ₂(x)≈0.  (8)

Note that h₁ and h₂ depend only on the received word (through the syndrome), and the decoder's task is to find f₁,f₂, as σ can be restored from f₁,f₂.

The interpolation theorem below indicates how EQ. (7) can be used for finding f₁ and f₂. Before stating this theorem, we will need some additional definitions, following P. Trifonov, and M. H. Lee, “Efficient interpolation in the Wu list decoding algorithm,” IEEE Trans. Inform. Theory, vol. 58, no. 9, pp. 5963-5971, September 2012, the contents of which are herein incorporated by reference in their entirety.

Definition

1. Let K be a field. A polynomial of the form f(X, Y, Z):=Σ_(j=0) ^(ρ)Σ_(i)a_(ij)X^(i)Y^(j)Z^(ρ−j) for some ρϵN, where a_(ij)ϵK for all i, j, will be called a (Y,Z)-homogeneous polynomial of (Y,Z)-homogeneous degree ρ. We will write Homog_(Y,Z) ^(K)(ρ) for the K[X]-sub-module of polynomials in K[X, Y, Z] which are (Y, Z)-homogeneous with (Y, Z)-homogeneous degree ρ, and set Homog_(Y,Z) ^(K):=U_(ρ≥0) Homog_(Y,Z) ^(K)(ρ). 2. For f(X, Y, Z)ϵHomog_(Y,Z) ^(K)(ρ), let {tilde over (f)}(X,Y):=f(X, Y, 1). Also, let {circumflex over (f)}(X,Y) be the Y-reversed version of {tilde over (f)}(X,Y), that is, {circumflex over (f)}(X,Y):=Y^(ρ){tilde over (f)}(X,Y⁻¹). Writing M_(K)(ρ) for the K[X]-submodule of K[X,Y] consisting of all polynomials of Y-degree at most ρ, it can be verified that ({tilde over (⋅)}): Homog_(Y,Z) ^(K)(ρ)→M_(K)(ρ) is an isomorphism of K[X]-modules.

With the above definition, we can state the interpolation theorem. In the sequel, mult(f,x) stands for the multiplicity of fϵK[X], where K is some field and X=(X₁, . . . , X_(n)) for some nϵ

*, at the point xϵK^(n), that is, for the minimum total degree of a monomial appearing in f(X+x). Also, for w=(w₁, . . . , w_(n))ϵ

^(n), wdeg_(w)(f) will stand for the w-weighted degree of f, the maximum of w₁i₁+ . . . +w_(n)i_(n) over all monomials X₁ ^(i) ¹ . . . X_(n) ^(i) ^(n) appearing in f.

The following theorem can be deduced from the results of Trifonov and Lee.

Theorem 1. (The Interpolation Theorem) For any field K, let Q(X, Y, Z)ϵHomog_(Y,Z) ^(K), and let f₁(X),f₂(X)ϵK[X] be polynomials with deg(f₁(X))≤w′₁ and deg(f₂(X))≤w′₂ for some w′₁, w′₂ϵ

. For eϵ

*, let {(x_(i), y_(i), z_(i))}_(i=1) ^(e)⊆K³ be a set of triples satisfying the following conditions: 1. The x_(i) are distinct. 2. The y_(i) and z_(i) are not simultaneously zero, that is, for all i, y_(i)=0⇒=z_(i)≠0. 3. For all i, z_(i)f₁(x_(i))+y_(i)f₂(x_(i))=0.

Then, if

${\sum\limits_{i = 1}^{e}\; {{mult}\left( {{Q\left( {X,Y,Z} \right)},\left( {x_{i},{y_{i} - z_{i}}} \right)} \right)}} > {{wdeg}_{1,w_{1}^{\prime},w_{2}^{\prime}}\left( {Q\left( {X,Y,Z} \right)} \right)} <$

then Q(X,f₁(X),f₂(X))=0 in K[X].

Definition

For a vector m={m_(x)}_(xϵ)

₂ _(m*)ϵ

² ^(m*) of multiplicities, let a(m):={Qϵ

₂ _(m) [X, Y, Z]|∀xϵ

₂ _(m) *,mult(Q,(x²,ĥ₂(x),ĥ₁(x)))≥m_(x) ⁻¹ } be the ideal of all polynomials having the multiplicities specified in m. Also, for ρϵ

, let M(m,ρ) be the

₂ _(m) [X]-submodule of

₂ _(m) [X, Y, Z] defined by

M(m,ρ):=a(m)∩

(ρ).

The proof of the following proposition is straightforward. Proposition 5. Let {tilde over (M)}(m,ρ) be the image of M(m,ρ) under the isomorphism ({tilde over (⋅)}). Then {tilde over (M)}(m,ρ) is the

₂ _(m) [X]-module of all polynomials Pϵ

₂ _(m) [X, Y] satisfying 1. wdeg_(0,1)(P)≤ρ, 2. For all x with ĥ₁(x)≠0,

${{mult}\left( {P,\left( {x^{2},\frac{{\hat{h}}_{2}(x)}{{\hat{h}}_{1}(x)}} \right)} \right)} \geq {m_{x^{- 1}}.}$

3. For all x with ĥ₁(x)=0 (and hence with ĥ₂(x)≠0),

mult(Y ^(ρ) P(X,Y ⁻¹),(x ²,0))≥m _(x) ⁻¹ .

Moreover, for a polynomial RϵM(m,ρ), we have

wdeg_(1,w) ₁ _(,w) ₂ (R)=wdeg_(1,w) ₁ _(−w) ₂ ({tilde over (R)})+w ₂ρ.

Hence, if Pϵ{tilde over (M)}(m,ρ) has the minimal (1,w₁−w₂)-weighted degree in {tilde over (M)}(m,ρ), then the RϵM(m,ρ) with {tilde over (R)}=P has the minimal (1, w₁, w₂)-weighted degree in M(m,ρ).

Let us now proceed to a success criterion for decoding. Later, we will show that the validity of fast Chase decoding follows as a special case. The following proposition follows easily from the Interpolation Theorem (Theorem 1).

Proposition 6. Suppose that I⊆

₂ _(m) * is the set of erroneous coordinates (so that |I|32 ε). Let J⊆

₂ _(m) * be some subset, and for mϵ

*, define m by setting, for all xϵ

₂ _(m) *,

$m_{x}:=\left\{ {\begin{matrix} m & {{{{if}\mspace{14mu} x} \in J},} \\ 0 & {otherwise} \end{matrix}.} \right.$

Let also ρϵN*. Then if ε≥t+1 and

$\begin{matrix} {{{m \cdot {{I\bigcap J}}} > {\frac{{J} \cdot {m\left( {m + 1} \right)}}{2\left( {\rho + 1} \right)} + {\frac{\rho}{2}\left( {ɛ - t - 1} \right)}}},} & (9) \end{matrix}$

then a non-zero polynomial {tilde over (Q)}(X,Y) minimizing the (1,w₁−w₂)-weighted degree in {tilde over (M)}(m,ρ) satisfies (Yf₂(X)+f₁(X))|{tilde over (Q)}(X,Y).

For using the previous proposition in our context of fast Chase decoding, let us now consider the special case of Proposition 6 where ϵ≥t+1, p=1, m=1, J⊂I, and |J|≥ε−t. This case corresponds to a correct Chase trial, in which a multiplicity of 1 was assigned only to erroneous locations, and to at least ε−t erroneous locations.

Write δ:=|J|−(ε−t)≥0. Then with the current assumptions, EQ. (9) reads

${{{J} > {\frac{J}{2} + {\frac{1}{2}\left( {{J} - \delta - 1} \right)}}} = {{J} - {\frac{1}{2}\left( {\delta + 1} \right)}}},$

and is therefore satisfied. This immediately shows that fast Chase decoding can be based on the above degenerate case of Wu-like soft decoding, provided that Koetter's algorithm, a point-by-point algorithm, is used for interpolation. Since the Y-degree is limited to ρ=1, the list size in this case will be exactly 1, and there is no need in a factorization step.

In detail, suppose that j is indeed a set of error locations with |J|≥ε−t, and let {tilde over (Q)}(X, Y) be a non-zero polynomial minimizing the (1, w₁−w₂)-weighted degree in {tilde over (M)}(m,ρ) for ρ=1 and for m=1_(j), where 1_(j)

₂ _(m) *{0,1} is the indicator function on J.

If f₂(X)=0, then it can be verified that σ=c·ĥ₁ for some constant c. This means that before starting the Chase iterations, the decoder must check whether ĥ₁ may be an error-locator polynomial.

If ĥ₁ does not qualify as a potential error-locator polynomial, then the above discussion shows that f₂≠0. Assume, therefore, that f₂≠0. Since the Y-degree in {tilde over (M)}(1_(j), 1) is upper bounded by ρ=1, Proposition 6 shows that there exists some non-zero polynomial t(X)ϵ

₂ _(m) [X] such that

{tilde over (Q)}(X,Y)=t(X)·(Yf ₂(X)+f ₁(X)).  (10)

Proposition 7. In EQ. (10), t(X) must be a constant in

₂ _(m) *, so that f₁ and f₂ can be read off {tilde over (Q)}(X,Y) without any further calculations.

Proof.

For xϵ

₂ _(m) * with x⁻¹ϵJ, let

$p_{x}:=\left\{ {\begin{matrix} \left( {x^{2},\frac{{\hat{h}}_{2}(x)}{{\hat{h}}_{1}(x)}} \right. & {{{if}\mspace{14mu} {{\hat{h}}_{1}(x)}} \neq 0} \\ \left( {x^{2},0} \right) & {{{if}\mspace{14mu} {{\hat{h}}_{1}(x)}} = 0} \end{matrix}.} \right.$

Letting also J₁ ⁻¹:={x|x⁻¹ϵJ and ĥ₁(x)≠0} and J₂ ⁻¹:={x|x⁻¹ϵJ and ĥ₁(x)=0}, a polynomial of the form R₀(X)+YR₁(X)ϵ

₂ _(m) [X,Y] is in {acute over (M)}(1_(j), 1) iff for all xϵJ₁ ⁻¹, (R₀(X)+YR₁(X))(p_(x))=0, and for all xϵJ₂ ⁻¹, (R₁(X)+YR₀(X))(p_(x))=0.

With this description in mind, EQS. (7) and (8) show that Yf₂(X)+f₁(X) itself is already in {tilde over (M)}(1_(j), 1). Recall that J is assumed to include only error locations, that is, inverses of roots of σ(X). Now, for a non-zero t(X), the (1, w₁−w₂)-weighted degree of t(X)(Yf₂(X)+f₁(X)) is strictly larger than that of Yf₂(X)+f₁(X), unless t(X) is a constant. As {tilde over (Q)}(X,Y) minimizes the weighted degree, this shows that t(X) must be a non-zero constant, as required.

The above discussion justifies Koetter's iterations from FIG. 4.

Let us now turn to the validity of FIG. 2, and briefly describe how the suggested method indeed produces ĥ₁, ĥ₂. First, as already stated above, the output of the BM algorithm for the module N, with inputs being the modified syndrome Ŝ and the integer t, can be used to find a Groebner basis {h₁, h₂} for N, where we omit the rather long proof. This means that if we do calculate the modified syndrome, then the BM algorithm for M can be used for obtaining the required Groebner basis.

Let us refer to the BM algorithm with inputs the syndrome S and the integer 2t as the “usual BM algorithm”. To completely avoid the calculation of the modified syndrome and, instead, to use the usual BM algorithm, it is possible to apply a method for converting the outputs of the usual BM algorithm to an equivalent of the outputs of the BM algorithm for N. For this, recall first that if C^(usual)ϵ

₂ _(m) [X] is the output C of the usual BM algorithm, then C^(usual) is in the module M (see, e.g., pp. 25-26 of E. R. Berlekamp, “Nonbinary BCH codes,” Institute of Statistics, Mimeo Series no. 502, Department of Statistics, University of North Carolina, December 1966), the contents of which are herein incorporated by reference in their entirety. Consequently,

${{{ord}\left( {{\overset{\_}{{SC}^{{usual}^{\;}}}}^{({2t})},C^{usual}} \right)} = {\deg \left( C^{usual} \right)}},$

where for integer k and a polynomial gϵ

₂ _(m) [X],g ^((k)):=g mod X^(k), a unique representative of degree ≤k−1. Proposition 8. For fϵ

₂ _(m) [X], it holds that

$\begin{matrix} {{{ord}\left( {\mu^{- 1}(f)} \right)} = {\left\lceil \frac{\deg (f)}{2} \right\rceil.}} & (11) \end{matrix}$

Consequently, μ⁻¹(C^(usual)) has the minimum order in the set N₁:={(u,v)ϵN|v(0)=1}.

Proof.

We have

$\begin{matrix} {{{ord}\left( {\mu^{- 1}(f)} \right)} = {{ord}\left( {\overset{odd}{f},\overset{even}{f}} \right)}} \\ {\overset{(a)}{=}\left( \begin{matrix} {\deg\left( \overset{even}{f} \right)} & {{if}\mspace{14mu} {\deg (f)}\mspace{14mu} {is}\mspace{14mu} {even}} \\ {{\deg\left( \overset{odd}{f} \right)} + 1} & {{if}\mspace{14mu} {\deg (f)}\mspace{14mu} {is}\mspace{14mu} {odd}} \end{matrix} \right.} \\ {{= \left\lceil \frac{\deg (f)}{2} \right\rceil},} \end{matrix}$

where for (a), note that if deg(f) is even, then

${{\deg\left( \overset{even}{f} \right)} > {\deg\left( \overset{odd}{f} \right)}},$

while if deg(f) is odd, then

${\deg\left( \overset{odd}{f} \right)} \geq {{\deg\left( \overset{even}{f} \right)}.}$

This proves EQ. (11), and the second assertion is an immediate consequence of EQ. (11).

It follows from the proposition that from the output C^(usual) of the BM algorithm for the inputs S(X) and 2t, we can immediately obtain some element of minimal order in N₁ by taking μ⁻¹(C^(usual)). Note that an element of minimal order might not be unique, and the above does not necessarily mean that μ⁻¹(C^(usual)) corresponds to the outputs of the BM algorithm for N. However, using Theorem 3 of Massey's paper, which describes the set of all minimal-order elements in N₁, together with the last proposition, it can be verified that the outputs of the modified BM algorithm of the previous section are sufficient for producing the required Groebner basis. The details are omitted.

System Implementations

It is to be understood that embodiments of the present disclosure can be implemented in various forms of hardware, software, firmware, special purpose processes, or a combination thereof. In one embodiment, the present disclosure can be implemented in hardware as an application-specific integrated circuit (ASIC), or as a field programmable gate array (FPGA). In another embodiment, the present disclosure can be implemented in software as an application program tangible embodied on a computer readable program storage device. The application program can be uploaded to, and executed by, a machine comprising any suitable architecture.

FIG. 6 is a block diagram of a system for the use of algebraic curves to reduce complexity and the required field size of AMD error detection codes with a block cipher code, according to an embodiment of the disclosure. Referring now to FIG. 6, a computer system 61 for implementing the present invention can comprise, inter alia, a central processing unit (CPU) 62, a memory 63 and an input/output (I/O) interface 64. The computer system 61 is generally coupled through the I/O interface 64 to a display 65 and various input devices 66 such as a mouse and a keyboard. The support circuits can include circuits such as cache, power supplies, clock circuits, and a communication bus. The memory 63 can include random access memory (RAM), read only memory (ROM), disk drive, tape drive, etc., or a combinations thereof. The present disclosure can be implemented as a routine 67 that is stored in memory 63 and executed by the CPU 62 to process the signal from the signal source 68. As such, the computer system 61 is a general purpose computer system that becomes a specific purpose computer system when executing the routine 67 of the present invention. Alternatively, as described above, embodiments of the present disclosure can be implemented as an ASIC or FPGA 67 that is in signal communication with the CPU 62 to process the signal from the signal source 68.

The computer system 61 also includes an operating system and micro instruction code. The various processes and functions described herein can either be part of the micro instruction code or part of the application program (or combination thereof) which is executed via the operating system. In addition, various other peripheral devices can be connected to the computer platform such as an additional data storage device and a printing device.

It is to be further understood that, because some of the constituent system components and method steps depicted in the accompanying figures can be implemented in software, the actual connections between the systems components (or the process steps) may differ depending upon the manner in which the present invention is programmed. Given the teachings of the present invention provided herein, one of ordinary skill in the related art will be able to contemplate these and similar implementations or configurations of the present invention.

While the present invention has been described in detail with reference to exemplary embodiments, those skilled in the art will appreciate that various modifications and substitutions can be made thereto without departing from the spirit and scope of the invention as set forth in the appended claims. 

1. An application specific integrated circuit (ASIC) tangibly encoding a program of instructions executable by the integrated circuit to perform a method for fast polynomial updates in fast Chase decoding of binary Bose-Chaudhuri-H-Hocquenghem (BCH) codes, the method comprising the steps of: receiving, by the ASIC, a BCH codeword from a communication channel; using outputs of a syndrome-based hard-decision (HD) algorithm to find a Groebner basis for a solution module of a modified key equation, upon failure of HD decoding of the BCH codeword; the ASIC evaluating polynomials obtained from said Groebner basis at inverses of specified weak-bit locations; and the ASIC transforming a Groebner basis for a set of flipped weak-bit locations (α₁, . . . , α_(r−1)) to a Groebner basis for (α₁, . . . , α_(r)), wherein α_(r) is a next weak-bit location, wherein r is a difference between a number of errors and a HD correction radius of the BCH codeword.
 2. The ASIC of claim 1, wherein a polynomial of the Groebner basis for (α₁, . . . , α_(r)) has a degree of at most of order r.
 3. The ASIC of claim 1, wherein the syndrome-based HD algorithm is selected from a group that includes the Berlekamp-Massey (BM) algorithm and Fitzpatrick's algorithm.
 4. The ASIC of claim 1, wherein using outputs of a syndrome-based HD algorithm to find a Groebner basis for a solution module of a modified key equation comprises: setting a polynomial h₁=(h₁₀(X), h₁₁(X)) be the odd and even parts of C, respectively, and a polynomial h₂=(h₂₀(X), h₂₁(X)) be respectively a shifted version of the odd and even parts of B′, wherein polynomials B′(X) and C(X) are output from a Berlekamp-Massey (BM) algorithm performed on syndromes of the BCH codeword, wherein C(X) is such that (SC mod X^(2t),C) is an element of Ñ₁ of minimal order, wherein Ñ₁:={(u,v)ϵÑ|v(0)=1}, Ñ₁:={(u,v)ϵ

₂ _(m) [X]×

₂ _(m) [X]|u≡Sv mod(X^(2t))}, t is a correction radius of the BCH codeword, and S_(even)(X) and S_(odd)(X) are even and odd parts of the syndrome polynomial, respectively, and polynomial B′(X) tracks C(X) before a last length change in a virtual BM algorithm, where the virtual BM algorithm minimizes an order in N₁, wherein ${N_{1}:=\left\{ {{{\left( {u,v} \right) \in N}{v(0)}} = 1} \right\}},{N:=\left\{ {{\left( {u,v} \right) \in {_{2}{m\lbrack X\rbrack} \times _{2}{m\lbrack X\rbrack}}}{u \equiv {\frac{S_{even}(X)}{1 + {{XS}_{odd}(X)}}v\; {{mod}\left( X^{t} \right)}}}} \right\}},$ with an input syndrome $\frac{S_{even}(X)}{1 + {{XS}_{odd}(X)}}\; {mod}\; X^{t}$ and the modified key equation is ${u \equiv {\frac{S_{even}(X)}{1 + {{XS}_{odd}(X)}}v\; {{mod}\left( X^{t} \right)}}},$ replacing h_(i)←h_(i)+cX^(l)h_(i) for one iϵ{1,2}, if h₁ and h₂ do not have a same leading monomial, wherein cϵK′ and lϵ

are chosen such that the leading monomial of h_(i) is canceled; and setting ĥ_(i)(X):=h_(i1)(X²)+Xh_(i0)(X²), for iϵ{1,2}, wherein {h₁(X),h₂(X)} is the Groebner basis for the solution module of the modified key equation.
 5. The ASIC of claim 4, wherein evaluating polynomials obtained from said Groebner basis at the inverses of specified weak-bit locations comprises calculating the inverses of the specified weak-bit locations α₁ ⁻², . . . , α_(R) ⁻², of the BCH codeword, and evaluating polynomials ĥ₁(α₁ ⁻¹), . . . , ĥ₁(α_(R) ⁻¹), . . . , ĥ₂(α_(R) ⁻¹) and further comprising calculating a weight w:=2 deg(h₂₁)−t−(1−ε), wherein ε=ε mod 2 and ε is a total number of errors in the BCH codeword.
 6. The ASIC of claim 1, wherein transforming a Groebner basis for a module L(α₁, . . . , α_(r−1)) to a Groebner basis for a module L(α₁, . . . , α_(r)) comprises: initializing a Groebner basis g₁, g₂, as g₁=(g₁₀(X), g₁₁(X))=(1,0) and g₂=(g₂₀(X), g₂₁(X))=(0,1); calculating, for j=1, 2, a discrepancy $\Delta_{j}:=\left\{ {\begin{matrix} {{{{\hat{h}}_{1}\left( \alpha_{r}^{- 1} \right)}{g_{j\; 0}\left( \alpha_{r}^{- 2} \right)}} + {{{\hat{h}}_{2}\left( \alpha_{r}^{- 1} \right)}{g_{j\; 1}\left( \alpha_{r}^{- 2} \right)}}} & {{{if}\mspace{14mu} {{\hat{h}}_{1}\left( \alpha_{r}^{- 1} \right)}} \neq 0} \\ {g_{j\; 1}\left( \alpha_{r}^{- 2} \right)} & {otherwise} \end{matrix};{{{setting}\mspace{14mu} J}:=\left\{ {{j \in \left\{ {1,2} \right\}}{\Delta_{j} \neq 0}} \right\}};} \right.$ outputting g₁, g₂ and processing a next error location α_(r+1), if J=Ø, otherwise setting j*ϵJ such that the LM(g_(j)*)=min_(j){LM(g_(j))}; and updating, for ${j \in J},{g_{j}^{+}:={g_{j} + {\frac{\Delta_{j}}{\Delta_{j^{*}}}g_{j^{*}}}}},{{{if}\mspace{14mu} j} \neq j^{*}},$ and g_(j) ⁺=(X+α_(r) ⁻²)g_(j), otherwise.
 7. The ASIC of claim 6, the method further comprising determining whether one of the discrepancies Δ_(j) is zero, and stopping calculation of the Groebner basis for a module L(α₁, . . . , α_(r)), if it is determined that discrepancy Δ_(j) is zero.
 8. The ASIC of claim 1, the method further comprising calculating a final error-locator polynomial σ(X) from a Groebner basis h₁=(h₁₀, h₁₁) and h₂=(h₂₀, h₂₁) for the solution of the modified key equation and the Groebner basis g_(j) ⁺=(g⁺ _(j0)(X), g⁺ _(j1)(X)) for (α₁, . . . , α_(r)) from σ(X)=a(g _(j0) ⁺(X ²)(h ₁₁(X ²)+Xh ₁₀(X ²)+g _(j1) ⁺(X ²)(h ₂₁(X ²)+Xh ₂₀(X ²))), wherein a is a multiplicative constant. 